ClearAlign Privacy Policy
Effective Date: [02-12-2025]
Company: Evvolabs Pte. Ltd. (“ClearAlign”, “we”, “us”, “our”)
Applies To: ClearAlign Platform, APIs, and related online services.
1. Overview
ClearAlign provides an AI-assisted compliance and governance platform that helps organisations operationalise regulatory frameworks, manage evidence, and maintain continuous audit readiness.
Our privacy approach is straightforward:
- We do not intentionally collect personal data.
- Customers may upload documents that contain personal identifiers incidentally.
- For such data, ClearAlign acts strictly as a Data Processor.
We only process the information required to operate, secure, and enhance the ClearAlign platform, in accordance with PDPA (Singapore), GDPR-aligned privacy principles, and industry-recognised security standards such as ISO/IEC 27001.
By using ClearAlign, you agree to the practices described in this policy.
2. What This Policy Covers
This policy applies to:
- ClearAlign’s web platform and interfaces
- APIs, dashboards, and backend systems
- Support channels operated by Evvolabs Pte. Ltd.
This policy does not apply to:
- Customer systems, repositories, and third-party tools
- Websites or services not controlled by ClearAlign
- Evvolabs employees, contractors, or job applicants (covered separately)
3. Types of Information We Handle
ClearAlign distinguishes between Account Data (where we are the Data Controller) and Customer Content (where we act solely as a Data Processor).
3.1 Account Data (Controller: ClearAlign)
We collect and process limited personal data to create and manage user accounts:
- Name
- Email address
- Authentication and access details
- Organisation name
- Role and permission level
- Contact preferences
This information is required to operate the platform and maintain secure access.
3.2 Customer Content (Processor: ClearAlign)
The ClearAlign platform allows customers to upload and manage:
- Policies, procedures, and regulatory mappings
- Risk registers and control documentation
- Evidence files, logs, screenshots, audit packages
- AI prompts and generated outputs
- Workflow data (reviews, approvals, comments)
Although ClearAlign does not request personal data, these documents may incidentally contain personal identifiers, such as:
- Names or titles of staff
- Email addresses or usernames shown in logs
- Approvers, reviewers, or policy owners
- Audit trail attributions
For all Customer Content, the customer remains the Data Controller. ClearAlign processes such content only based on customer instructions.
3.3 Technical & Security Logs
To operate and secure the platform, we process:
- Login timestamps and session activity
- IP address, device, and browser metadata
- Workflow event logs
- API usage logs
- Diagnostic data for error resolution
These logs support security, auditing, and troubleshooting.
3.4 AI Inputs & Outputs
When customers use AI features, ClearAlign processes:
- Prompts and instructions entered by users
- AI-generated results
- Metadata such as timestamps, model version, and confidence indicators
3.5 AI Governance Disclosure
- Customer prompts and outputs are not used to train public or foundation models.
- ClearAlign uses model providers (e.g., Azure OpenAI, Fireworks) only for inference.
- We do not retain AI inputs or outputs for any purpose other than delivering the service, unless the customer stores them as part of their workflow.
- Aggregated and anonymised analytics may be used to improve system reliability, UI/UX, and AI behaviour, never tied to identifiable content.
4. How We Use Information
ClearAlign uses information strictly for platform operation, security, and improvement.
4.1 Service Delivery (Processor Role)
For Customer Content, we act only on behalf of the customer to:
- Process documents and evidence
- Support clause mapping, lineage, and workflow routing
- Generate AI-assisted analysis under customer control
- Provide audit trails, reports, and compliance views
We do not reuse customer documents for product development, analytics, or model training.
4.2 Platform Operations (Controller Role)
For Account Data and operational logs, we use information to:
- Authenticate and authorize access
- Monitor platform performance and security
- Diagnose and resolve issues
- Provide updates, support, and account notices
- Generate anonymised usage analytics
- Improve platform functionality and stability
We do not sell personal data. We do not use account data for advertising.
4.3 Explicitly Prohibited Uses
ClearAlign does not:
- Train AI models on customer-uploaded content
- Mine customer content for features or datasets
- Share customer content with third parties except sub-processors
- Access customer content except when required to support the service
- Use personal identifiers for marketing or profiling
5. Data Retention
ClearAlign retains data only as long as necessary and according to the role of the data.
5.1 Customer Content
- Stored only as long as the customer keeps it in the platform
- Deleted immediately upon customer request or account closure
- Backups purge automatically according to system cycles (e.g., 30–90 days)
The customer controls the retention of Customer Content entirely.
5.2 Account Data
- Retained for the duration of the user account
- Deleted upon request or account closure except where required by law
5.3 Technical & Security Logs
- Retained for 90–180 days, unless needed for incident response or legal obligations
- Aggregated statistics may be retained without identifiers
5.4 AI Metadata
- Retained only as needed to provide the service
- Not used to train models
- Not retained beyond workflow needs unless saved by customer
6. Sharing and Sub-processors
ClearAlign does not sell data. We may share information with trusted service providers who assist us in delivering the platform, including:
- Cloud infrastructure
- AI inference providers (Azure OpenAI, Fireworks)
- Email delivery providers (e.g., SendGrid)
- Security, monitoring, and analytics tools
- Support and incident response providers
Sub-processors are required to:
- Process data only under ClearAlign’s instructions
- Maintain confidentiality and security
- Comply with applicable data protection laws
- Never use customer data for their own purposes
A list of sub-processors is available upon request.
7. International Data Transfers
Data may be processed or stored in Singapore, India, or regions where sub-processors operate.
We implement safeguards consistent with PDPA, Thai PDP Act, GDPR principles, and contractual requirements, including:
- Regional hosting preferences
- Encryption in transit and at rest
- Data Processing Agreements
- Standard Contractual Clauses (where applicable)
8. Security Measures
We implement industry-standard security controls consistent with our ISO/IEC 27001-certified information security management system, including:
- Encryption of data at rest and in transit
- Role-based access control (RBAC)
- Strict identity and access management (IAM) policies
- Network and application-level firewalls
- Continuous monitoring, logging, and audit trails
- Secure software development and code review practices
- Segregation of customer workloads and environments
- Regular vulnerability assessments and security testing
We also apply privacy-by-design and responsible-AI principles to ensure that data is handled securely and with minimal exposure throughout the platform.
9. Cookies & Similar Technologies
ClearAlign uses cookies to:
- Authenticate sessions
- Maintain user preferences
- Improve performance
- Provide basic analytics
We do not use cookies for advertising or behavioural profiling.
10. Children’s Data
ClearAlign is not intended for individuals under 18. We do not knowingly process children’s data.
11. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access your Account Data
- Correct inaccurate information
- Request deletion of your account
- Withdraw consent for marketing communications
- Request a copy of data we process as a controller
Requests regarding Customer Content must be directed to the customer organisation, as they are the Data Controller.
12. Updates to This Policy
We may update this policy periodically. Updated versions will be posted with a revised Effective Date. Continued use of the platform indicates acceptance.
13. Contact Us
For privacy or data protection questions, contact:
Evvolabs Pte. Ltd.
Singapore
Email: info@clear-ai.ai
